SAP Cybersecurity Incidents. What lessons should be learned from them?

SAP security used to be a terra incognita, with almost no real attacks on SAP systems known to the public. However, times have changed. Several weeks ago, after the US-CERT alert, almost all media outlets published sensational news about potential attacks on the SAP systems of the largest companies worldwide.

The news was rather shocking and raised many questions, as it turned out that SAP systems can be hacked by attackers and, what is more, that it was state-sponsored Chinese hackers who did so.

Although SAP security incidents have been known since 2012 and experts have been warning about them for the last 10 years, this news stirred up public opinion much more than the previous ones. Even though the news made a lot of people start taking SAP security seriously, the situation still requires some clarification. So, let's look at the most significant incidents related to SAP cybersecurity that happened within the last 5 years.

It was the first attack on SAP systems in the public eye. The Anonymous group claimed to have stolen confidential documents and credentials from the Greek Ministry of Finance. According to their statement on AnonPaste, the hack was intended as a protest against the worsening economic situation in Greece. Anonymous posted a compressed file containing credentials and said they had accessed IBM servers and obtained an SAP zero-day exploit.

Although the attack was neither confirmed nor denied by the ministry, there is no reason to doubt that it was real. In any case, this incident illustrates that hackers were interested in exploiting SAP systems even 4 years ago.

Incident 2. November 2013: SAP malware

The first malware targeting SAP appeared in 2013. A Trojan program not only targeted online banking accounts but also contained special code to check whether the infected workstation had SAP client applications installed. This means that attackers may target SAP systems in the future.

To intercept data, the malware used a traffic analyzer, a component that monitors web banking activity, and a screen grabber. It was designed to collect user input from various window forms, gather certificate files from secure workflow systems, and send this information to the attackers' server. In this case, it already had access to the infected workstation and had detected that an SAP client was installed, which meant the computer had access to an SAP server. The Trojan was capable of taking screenshots of logons to the SAP system and collecting important system data. It also had keylogging functionality to steal passwords entered during logon. This information is enough to perform a lot of malicious actions on an SAP server, so the data could be sold to third parties.

Incident 3. January 2014: Attack on NVidia

In January 2014, the NVidia customer service website was probably attacked. The Chinese researcher who found the vulnerability enabling the attack, nicknamed Finger, claimed he had notified NVidia about the issue on November 21, 2013. On January 5, 2014, information about the vulnerability was posted on a Chinese vulnerability forum, WooYun.org, where the issue is marked as "unable to contact the vendor or actively neglected by the vendor". The NetWeaver vulnerability had been closed by SAP 3 years before the incident, but NVidia hadn't applied the corresponding patch. On January 8, 2014, NVidia took the customer service website offline for two weeks for investigation.

Unfortunately, when it comes to applying patches, NVidia is not an exception. Many SAP administrators don't apply SAP Security Notes (security patches released by SAP), as the process may seem costly and time-consuming.

In the 3 years during which the attack could have taken place, SAP released more than 3500 Security Notes to close SAP vulnerabilities. Most of them can only be exploited by someone with access to the corporate network, but some attacks can be conducted remotely. If a company uses web-based modules such as Portal or CRM, it is recommended to update them promptly.

Incident 4. May 2015: attack on USIS via an SAP vulnerability

On May 11, all security media exploded with news about an attack on USIS, a federal contractor that conducts background checks for DHS. The hack was potentially carried out by China-sponsored hackers. The breach dates back to 2013, when hackers broke into USIS by exploiting an SAP system managed by a third party.

As a result of the incident, the data of more than 27,000 personnel may have been compromised. USIS lost its contract with OPM, cut 2500 jobs, and the owner of USIS filed for bankruptcy.

Why can such attacks occur? To automate business processes, different modules have to be interconnected. ERPScan's research revealed that the average number of connections in SAP systems is approximately 50, and 30% of them usually store credentials. Once attackers break into the weakest SAP module, they can easily gain access to connected systems, from those to further ones, and even to other organizations' systems.
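As an added illustration of the point above (this is not code from the article or from ERPScan), the following Python script models a constructed inventory of inter-system connections and computes which systems an intruder could reach from one compromised system by following only the connections that store credentials, then ranks each stored-credential connection by how many systems it exposes. The system names and the inventory are invented.

```python
from collections import deque

# Constructed sample inventory: (source system, target system, stores_credentials).
# In practice this would be exported from the systems' connection configuration.
CONNECTIONS = [
    ("PORTAL-DEV", "ERP-DEV", True),
    ("ERP-DEV", "ERP-PRD", True),      # credentials from DEV into PRD: high risk
    ("ERP-PRD", "HR-PRD", True),
    ("ERP-PRD", "CRM-PRD", True),
    ("ERP-PRD", "BW-PRD", False),      # no stored credentials: needs a fresh login
    ("CRM-PRD", "PARTNER-EXT", True),  # third-party system outside the organisation
]

def build_graph(connections):
    """Directed graph keeping only edges that can be traversed without new
    credentials, i.e. connections that store credentials."""
    graph = {}
    for src, dst, stores_creds in connections:
        graph.setdefault(src, set())
        graph.setdefault(dst, set())
        if stores_creds:
            graph[src].add(dst)
    return graph

def reachable_from(connections, start):
    """Systems reachable from a compromised `start` via stored credentials (BFS)."""
    graph = build_graph(connections)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen

def exposure_by_connection(connections, start):
    """For each stored-credential connection, how many systems drop out of the
    blast radius if its credentials are removed; review the largest first."""
    baseline = reachable_from(connections, start)
    exposure = {}
    for conn in connections:
        if conn[2]:
            remaining = [c for c in connections if c != conn]
            exposure[(conn[0], conn[1])] = len(baseline - reachable_from(remaining, start))
    return dict(sorted(exposure.items(), key=lambda kv: -kv[1]))

if __name__ == "__main__":
    print(sorted(reachable_from(CONNECTIONS, "PORTAL-DEV")))
    print(exposure_by_connection(CONNECTIONS, "PORTAL-DEV"))
```

Note that BW-PRD never appears in the blast radius: its connection stores no credentials, which is exactly the configuration the takeaways at the end of the article argue for.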

On May 11, 2016, the Department of Homeland Security published the first-ever US-CERT Alert for the cybersecurity of SAP business applications. As stated there, attackers used an invoker servlet vulnerability in SAP Application Server to penetrate 36 multinationals in 2013–2016. Exploitation of this vulnerability may give remote unauthenticated cybercriminals full access to affected SAP systems.

The news was based on information from Chinese forums where researchers shared details about public systems that have vulnerabilities. Therefore, it is not certain that all the vulnerable systems are examples of real cyberattacks, but indirect evidence shows that such attacks can be performed remotely. For example, one of the network sensors of our global threat intelligence platform recently (on 12/4/2016, 14:19–14:20) identified an attack attempt exploiting a similar kind of issue, but it was the only example, against one sensor.

The matter here is not only the verified fact of the attacks but the number of systems susceptible to this issue. In addition to the 36 systems stated in the US-CERT report, we found approximately 533 systems worldwide that are potentially vulnerable to one of the Invoker servlet vulnerabilities. Taking into account that most of them belong to Fortune 2000 companies, it's quite a critical issue to discuss. For those who want to know more about the attack, please see the "Was it a real cyberattack on SAP using invoker servlet" article.
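The sensor observation above is the kind of signal a defender can also look for in their own web-server logs. The following Python script is an added example, not code from the article or from ERPScan; it assumes that the invoker servlet is addressed as /<webapp>/servlet/<class name> (the conventional invoker path) and runs over constructed Common Log Format lines, flagging requests that call a servlet by class name and noting whether the server actually served them.

```python
import re
from collections import Counter

# Constructed sample lines in Common Log Format (not from a real system).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation-only address ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2016:14:19:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.5 - - [12/Apr/2016:14:19:07 +0000] "GET /webdynpro/servlet/com.example.HypotheticalServlet HTTP/1.1" 200 312
203.0.113.5 - - [12/Apr/2016:14:19:09 +0000] "POST /ctc/servlet/com.example.HypotheticalAdmin?x=1 HTTP/1.1" 403 0
198.51.100.7 - - [12/Apr/2016:14:20:01 +0000] "GET /sap/bc/gui/sap/its/webgui HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: the invoker servlet is reached as /<webapp>/servlet/<class name>,
# so a "servlet" path segment followed by a class name is what we look for.
INVOKER_RE = re.compile(r'^/(?P<app>[^/]+)/servlet/(?P<cls>[^/?]+)')

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_invoker_requests(log_text):
    """Requests that address a servlet by class name through the invoker path."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        m = INVOKER_RE.match(rec["path"])
        if m:
            # "served" is True when the server answered 2xx, i.e. the invoker
            # path was reachable rather than blocked or disabled.
            hits.append({**rec, "app": m["app"], "cls": m["cls"],
                         "served": rec["status"].startswith("2")})
    return hits

def sources(hits):
    """Count hits per client address to spot scanning or repeated attempts."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    for h in find_invoker_requests(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["app"], h["cls"], h["status"], "served" if h["served"] else "blocked")
    print(sources(find_invoker_requests(SAMPLE_LOG)))
```

A 2xx answer on such a path from a system where the invoker servlet is supposed to be disabled is the finding to act on; the 403 line shows what a blocked attempt looks like in the same log.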

Conclusion

Even the topic of SAP security incidents alone (not to mention SAP cybersecurity in general) is too large to be covered in one article, so the aim was not to provide an exhaustive review of SAP cybersecurity incidents. In practical terms, the essential part is 3 takeaways for CISOs on how to keep SAP applications as secure as possible:

When it comes to advanced cyberattacks, you can’t rely only on traditional security solutions.

You can't be sure that SAP applications are secure unless you really monitor them from all angles: vulnerability assessment, custom code security, SoD – every area should be on the radar.

Most important for business applications is that they are highly interconnected, so the problem is not only the security of the infrastructure but that of all your external connections and their secure configuration, as well as third-party security.